Cryptographic system memory management

ABSTRACT

In one example, a system for managing encrypted memory comprises a processor to store a first MAC based on data stored in system memory in response to a write operation to the system memory. The processor can also detect a read operation corresponding to the data stored in the system memory, calculate a second MAC based on the data retrieved from the system memory, determine that the second MAC does not match the first MAC, and recalculate the second MAC with a correction operation, wherein the correction operation comprises an XOR operation based on the data retrieved from the system memory and a replacement value for a device of the system memory. Furthermore, the processor can decrypt the data stored in the system memory in response to detecting the recalculated second MAC matches the first MAC and transmit the decrypted data to cache thereby correcting memory errors.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a Continuation-In-Part of U.S. patentapplication Ser. No. 14/998,054 titled “Memory Integrity with ErrorDetection and Correction” filed on Dec. 24, 2015, the contents of whichare incorporated by reference as though fully set forth herein.

TECHNICAL FIELD

This disclosure relates generally to managing data stored in memory andspecifically, but not exclusively, to managing encrypted data stored inmemory.

BACKGROUND

Computing devices can store data in a hierarchical manner in which datais transmitted between a larger storage device and smaller cache memorydevices. In some examples, the data can be stored in an encrypted formatin storage devices and unencrypted in smaller on-chip cache devices. Insome examples, error correcting code (ECC) memory techniques can be usedto detect errors in the data stored in memory devices. The ECC memorytechniques can be deterministic and reversible, but not cryptographic.

BRIEF DESCRIPTION OF THE DRAWINGS

The following detailed description may be better understood byreferencing the accompanying drawings, which contain specific examplesof numerous features of the disclosed subject matter.

FIG. 1 illustrates a block diagram of a computing device that can manageencrypted data;

FIG. 2 illustrates a block diagram of a dual in-line memory module;

FIG. 3 illustrates a process flow diagram for managing encrypted data;

FIG. 4 illustrates a process flow diagram for managing encrypted data;

FIGS. 5A and 5B illustrate examples of data structures for storingencrypted data;

FIG. 6 is a process flow diagram for managing encrypted data based on alevel of entropy of the data;

FIG. 7 is an example pipeline for managing encrypted data;

FIG. 8 is a process flow diagram for managing encrypted data;

FIG. 9 is a process flow diagram for managing encrypted data based on acorrection value as a second MAC value;

FIGS. 10A and 10B are examples of techniques for managing encrypted datawith a block correction value as a second MAC; and

FIG. 11 is an example of a tangible, non-transitory computer-readablemedium for managing encrypted data.

In some cases, the same numbers are used throughout the disclosure andthe figures to reference like components and features. Numbers in the100 series refer to features originally found in FIG. 1; numbers in the200 series refer to features originally found in FIG. 2; and so on.

DESCRIPTION OF THE EMBODIMENTS

Error correcting code (ECC) memory can include using additionalintegrated circuits or devices or chips of physical memory to correctcorrupted data, which can increase system costs. Additionally, ECCmemory techniques may not be cryptographic. Techniques described hereinprovide for cryptographically secure ECC methods while maintaining errorcorrecting capabilities to provide high performance memory that canmitigate random bit errors, memory based integrated circuit failures,and malicious adversaries. A memory based integrated circuit, alsoreferred to herein as a device, can include any suitable hardware orlogic chip for storing a predetermined number of bits in a storagedevice. The techniques described herein are cryptographically secure andperform the task of both error correction and providing memory integrityincluding support for multiple encryption keys/MKTME (Multi-Key TotalMemory Encryption), replay prevention, and cryptographically strong datacorruption detection even by a physical adversary. Additionally, thetechniques described herein may not require the use of additional ECCmemory, and, thus, reduce memory costs.

The techniques described herein include utilizing a cryptographicallystrong message authentication code (MAC) or HMAC (hash messageauthentication code) to replace ECC detection mechanisms with astatistical trial and error approach. In some examples, devicecorrection codes are unrolled to test one device of memory at a timeagainst the secure hash, which can identify the memory device containingerrors and which bits flipped (up to a fully corrupted device).Unrolling, as referred to herein, can include performing an XORoperation or any other suitable logic operation on data stored inintegrated circuits in a memory device. In some examples, when combinedwith total memory encryption (TME/Multi-Key TME), heuristics can helpidentify potentially corrupted plaintext blocks given their entropy aserrors altering the ciphertext stored in memory will result in randomplaintexts when decrypted. Alternatively, compression can be used toencode detection codes (e.g. Reed-Solomon) within data cache lines toidentify/locate corrupted memory locations and reduce the cost/amount ofphysical memory needed to store these codes.

In some embodiments, a computing device can store a first messageauthentication code (MAC) based on data stored in system memory inresponse to a write operation to the system memory. A MAC as referred toherein can include any suitable message authentication code involving acryptographic hash function and a secret cryptographic key. In someembodiments, the computing device can also detect a read operationcorresponding to the data stored in the system memory and calculate asecond MAC based on the data stored in the system memory. The computingdevice can also determine that the second MAC does not match the firststored MAC and recalculate the second MAC subsequent to a correctionoperation, wherein the correction operation comprises an XOR operationbased on the data stored in the system memory and a replacement valuefor a device of the system memory. Furthermore, the computing device candecrypt the data stored in the system memory in response to detectingthe recalculated second MAC matches the first MAC, and transmit thedecrypted data to cache.

In some embodiments, a computing device can also store an encryptedfirst block correction value based on plaintext data to be stored insystem memory in response to a write operation to the system memory.Additionally, the computing device can detect a read operationcorresponding to the data stored in system memory and calculate a secondblock correction value based on the data stored in system memory, thesecond block correction value calculated based on an XOR operationcomprising the plaintext of the encrypted data stored in the systemmemory. In some embodiments, the computing device can determine that thesecond block correction value does not match a decrypted first blockcorrection value and recalculate the second block correction valuesubsequent to a correction operation, wherein the correction operationcomprises an XOR operation based on decrypted data stored in systemmemory and a replacement value for a device's data of the system memory.Furthermore, the computing device can decrypt the data stored in systemmemory in response to detecting the recalculated second block correctionvalue matches the first block correction value, and transmit thedecrypted data to cache.

The techniques described herein can prevent reconstruction of datastored in memory to produce a correct ECC code and provide for memoryprotection against random errors and failures. Additionally, thetechniques described herein enable detecting attempts to corrupt memoryby injecting data from one tenant to another tenant in a cross-keydomain attack or by flipping physical memory bits in a row-hammerattack, or otherwise physically manipulating a memory device. Becausethe techniques described herein are cryptographically non-deterministicto an adversary, no deterministic manipulation of the memory data by anadversary is possible such as to detection.

Reference in the specification to “one embodiment” or “an embodiment” ofthe disclosed subject matter means that a particular feature, structure,or characteristic described in connection with the embodiment isincluded in at least one embodiment of the disclosed subject matter.Thus, the phrase “in one embodiment” may appear in various placesthroughout the specification, but the phrase may not necessarily referto the same embodiment.

FIG. 1 is a block diagram of an example of a host computing device thatcan manage encrypted data. The host computing device 100 may be, forexample, a mobile phone, laptop computer, desktop computer, or tabletcomputer, among others. The host computing device 100 may include aprocessor 102 that is adapted to execute stored instructions, as well asa memory device 104 that stores instructions that are executable by theprocessor 102. The processor 102 can be a single core processor, amulti-core processor, a computing cluster, or any number of otherconfigurations. The memory device 104 can include random access memory,read only memory, flash memory, or any other suitable memory systems.The instructions that are executed by the processor 102 may be used toimplement a method that can transmit encrypted image data.

The processor 102 may also be linked through the system interconnect 106(e.g., PCI®, PCI-Express®, NuBus, etc.) to a display interface 108adapted to connect the host computing device 100 to a display device110. The display device 110 may include a display screen that is abuilt-in component of the host computing device 100. The display device110 may also include a computer monitor, television, or projector, amongothers, that is externally connected to the host computing device 100.The display device 110 can include light emitting diodes (LEDs), andmicro-LEDs, among others.

In addition, a network interface controller (also referred to herein asa NIC) 112 may be adapted to connect the host computing device 100through the system interconnect 106 to a network (not depicted). Thenetwork (not depicted) may be a cellular network, a radio network, awide area network (WAN), a local area network (LAN), or the Internet,among others.

The processor 102 may be connected through a system interconnect 106 toan input/output (I/O) device interface 114 adapted to connect thecomputing host device 100 to one or more I/O devices 116. The I/Odevices 116 may include, for example, a keyboard and a pointing device,wherein the pointing device may include a touchpad or a touchscreen,among others. The I/O devices 116 may be built-in components of the hostcomputing device 100, or may be devices that are externally connected tothe host computing device 100.

In some embodiments, the processor 102 may also be linked through thesystem interconnect 106 to any storage device 118 that can include ahard drive, an optical drive, a USB flash drive, Solid State Drive orother non-volatile memory, an array of drives, or any combinationsthereof. In some embodiments, the storage device 118 can include anysuitable applications and stored data.

In some embodiments, the processor 102 can include any suitable numberof logic modules executable by a memory controller 119. In someexamples, the memory controller 119 (or Memory Management Unit) is logicon the processor 102 that interacts with the external system memorydevice 104. The memory controller 119 can interact with the externalmemory 104 for read/write operations, to transmit or receive data, tocompute/manage the MACs, error correction codes, encryption/decryption,and the like. In some examples, a MAC manager 120 can store a firstmessage authentication code (MAC) based on data stored in system memoryin response to a write operation to the system memory. A MAC as referredto herein can include any suitable message authentication code involvinga cryptographic hash function and a secret cryptographic key. In someembodiments, the MAC manager 120 can also detect a read operationcorresponding to the data stored in the system memory and calculate asecond MAC based on the data stored in the system memory. The MACmanager 120 can also determine that the second MAC does not match thefirst MAC and recalculate the second MAC subsequent to a correctionoperation, wherein the correction operation comprises an XOR operationbased on the data stored in the system memory and a replacement valuefor a device of the system memory. Furthermore, a decryption manager 122can decrypt the data stored in the system memory in response todetecting the recalculated second MAC matches the first MAC. In someembodiments, a data transmitter 124 can transmit the decrypted data tocache 126 residing on a processor 102, or any other suitable cache ormemory device. In some examples, the cache 126 (or cache hierarchy) islocated between the processor 102 and memory controller 119. In someembodiments, the processor 102, cache 126, and memory controller 119 canbe on the same physical chip/die or package.

Alternatively, in some embodiments, the MAC manager 120 can store anencrypted first correction value based on data stored in system memoryin response to a write operation to the system memory. Additionally, theMAC manager 120 can also detect a read operation corresponding to thedata stored in system memory and calculate a second block correctionvalue based on the data stored in system memory, the second blockcorrection value calculated based on an XOR operation comprisingplaintext data stored in the system memory. In some embodiments, the MACmanager 120 can determine that the second block correction value doesnot match a decrypted first block correction value and recalculate thesecond block correction value with a correction operation, wherein thecorrection operation comprises an XOR operation based on decrypted datastored in system memory and a replacement value for a device of thesystem memory. Furthermore, the decryption manager 122 can decrypt thedata stored in system memory in response to detecting the recalculatedsecond block correction value matches the first block correction value,and the data transmitter 124 can transmit the decrypted data to cache.

It is to be understood that the block diagram of FIG. 1 is not intendedto indicate that the host computing device 100 is to include all of thecomponents shown in FIG. 1. Rather, the host computing device 100 caninclude fewer or additional components not illustrated in FIG. 1 (e.g.,additional memory components, embedded controllers, additional modules,additional network interfaces, etc.). Furthermore, any of thefunctionalities of the MAC manager 120, decryption manager 122, and datatransmitter 124 may be partially, or entirely, implemented in hardwareand/or in the processor 102. For example, the functionality may beimplemented with an application specific integrated circuit, logicimplemented in an embedded controller, or in logic implemented in theprocessor 102, among others. In some embodiments, the functionalities ofthe MAC manager 120, decryption manager 122, and data transmitter 124can be implemented with logic, wherein the logic, as referred to herein,can include any suitable hardware (e.g., a processor, among others),software (e.g., an application, among others), firmware, or any suitablecombination of hardware, software, and firmware.

FIG. 2 illustrates a block diagram of a dual in-line memory module(DIMM). In FIG. 2, the DIMM 200 can be a SIMM, SO-DIMM, NVDIMM, VLPDIMM,DDR DIMM, DDR2 DIMM, DDR3 DIMM, DDR4 DIMM, or DDR5 DIMM, among others.The DIMM 200 can include any number of devices or integrated circuits orchips. For example, eight devices for storing data are depicted in twomemory groups 202 and 204 of DIMM 200. In some examples, an errorrelated device 206 can reside proximate memory groups 202 and 204 andthe error related device 206 can store a MAC value. In some examples,the DIMM 200 can also include additional devices on a back side (notdepicted) of the DIMM 200. The back side of the DIMM 200 can alsoinclude memory groups and an error related device to store a devicecorrection value. The error related device 206 and the error relateddevice on the back of the DIMM 200 can provide additional memory tostore detection and correction codes.

It is to be understood that the block diagram of FIG. 2 is not intendedto indicate that the DIMM 200 is to include all of the components shownin FIG. 2. Rather, the DIMM 200 can include fewer or additionalcomponents not illustrated in FIG. 2 (e.g., additional memorycomponents, embedded controllers, additional sensors, additionalinterfaces, etc.).

FIG. 3 illustrates a process flow diagram for managing encrypted data.The method 300 illustrated in FIG. 3 can be implemented with anysuitable computing component or device, such as the computing device 100of FIG. 1.

At block 302, a MAC manager 120 can calculate and store a first MACbased on data being stored in system memory in response to a writeoperation to the system memory. For example, the MAC manager 120 candetect a write operation to system memory and use any suitablecryptographic MAC function with a second key, among others, to generatea MAC value based on the data stored in memory. In some embodiments, thedata stored in memory can include any suitable cipher text that isencrypted with any suitable encryption technique. The result of thelogical operation across blocks of device data can be stored as a devicedata block correction value.

At block 304, the MAC manager 120 can detect a read operationcorresponding to the data stored in the system memory. For example, theMAC manager 120 can detect an attempt to execute an instruction based onthe encrypted data stored in system memory.

At block 306, the MAC manager 120 can calculate a second MAC based onthe encrypted data retrieved from the system memory. The MAC manager 120can apply the same MAC function used on the write operation, as well asuse the same key, in order to produce a matching MAC.

At block 308, the MAC manager 120 can determine that the second MAC doesnot match the first MAC. For example, the MAC manager 120 can detect ifbits of data stored in memory have flipped since the data was stored inmemory as part of a write operation. In some examples, the flipped bitsin memory can represent data corrupted by a malicious attempt tomanipulate the data stored in memory.

At block 310, the MAC manager 120 can recalculate the second MAC with acorrection operation, wherein the correction operation comprises an XORoperation based on the device data blocks retrieved from the systemmemory and a replacement value for an excluded device data block of thesystem memory. In one example, a replacement value (also referred toherein as an unrolled correction value) can repair corrupted data storedin a device of a memory. For a simplified example, a hypothetical 16 bitcache line may consist of four 4-bit integrated circuits or device datablocks and a 4-bit MAC such as 1010 (block1), 0100 (block2), 1101(block3), 1011 (block4), and 0010 (MAC). The MAC value can be calculatedbased on a keyed secure hash operation of device data blocks 1-4. Thecorrection value can be a combination of devices 1-4 based on a logicalXOR operation, which results in a value of 1000. The MAC value may alsobe included in the XOR operation resulting in a 1010 device blockcorrection value (BC). In some examples, the correction value can beused to re-construct any of the missing device data blocks including theMAC device with XOR operations, assuming the other devices areerror-free. For example, a substitution data block for an erroneousdevice 1 can be calculated based on a logical XOR operation of thecorrection value, the MAC value, and the values of device data blocks2-4. Additionally, the second MAC value can be calculated based on akeyed secure hash operation combining the replacement correction valuefor device 1 with the values of device data blocks 2-4 and the storedfirst MAC value. This second calculated MAC value should match the firststored MAC value if the erroneous device data was repaired by beingsubstituted with the replacement value. The replacement value shouldthen be used instead of the erroneous device data block. Otherwise, thecalculated second MAC value will not match the first stored MAC valuewith a high probability.

At block 312, the decryption manager 122 can decrypt the data stored inthe system memory in response to detecting the recalculated second MACmatches the first MAC. At block 314, the data transmitter 124 cantransmit the decrypted data to cache.

In some embodiments, the process flow diagram of FIG. 3 is not intendedto indicate that the operations of the method 300 are to be executed inany particular order, or that all of the operations of the method 300are to be included in every case. Additionally, the method 300 caninclude any suitable number of additional operations. For example, thetechniques herein can be applied to correct a block or integratedcircuit of any suitable size. In some examples, there can be a trade-offbetween block correction value size and the number of correctionattempts used to correct one erroneous data block. As shown below, thecache line can be represented as a set of N device data blocks B[0], . .. , B[N−1] of size S. In some embodiments, any suitablecryptographically secure hash function can be used as a MAC function,for instance SHA-3-based MAC, among others. In some examples, a MACfunction accepts any suitable secret key and a number of data blocks asinput as illustrated by Equation 1 below:MAC=SHA3(key,B[0]∥ . . . ∥B[N−1])  Eq. 1

In some embodiments, the key may be selected based on meta data or keyidentifiers that are part of a memory address. In some examples,alternative MAC functions may include the memory address of the dataline in memory as part of the hashed data. Additionally, in someexamples, the MAC function can be calculated with any suitablealternative cryptographically secure hash function such as SHA-1, orSHA-2, among others.

In some examples, the device block correction value (BC) can becalculated as an XOR operation:BC=MAC⊕B[0]⊕ . . . ⊕B[N−1]  Eq. 2

In some examples, data returned from a memory read is B′[0] . . .B′[N−1], which may be equal to B[0] . . . B[N−1] if there was no error.If a MAC mismatches, a repair value (RV) can be calculated with an XORoperation as, where one of the device data blocks B′[i] from the set ofB′[0] through B′[N−1] is left out of the equation:RV=BC⊕MAC⊕B′[0]⊕ . . . ⊕B′[N−1]  Eq. 3

As discussed above, an attempt to repair each device and verify the MACin a correction operation can include for each device data:MAC′=SHA3(key,B′[0]∥ . . . ∥B′[i] substitute RV)∥ . . . ∥B′[N−1])  Eq. 4

In some examples, the MAC function can be calculated with any suitablealternative cryptographically secure hash function such as SHA-1, orSHA-2, among others. If MAC′ matches the MAC, then the repaired valuecan be returned in place of the erroneous device data block. Otherwise,a return error can be provided.

Alternatively, the repair value RV can be calculated for each devicewithout XORing that device's data block with the other device's datablocks. In this example, the RV can replace a device data block during arepair attempt. In some examples, S=32 and N=16. However, S and N can beany suitable value. In one examples, if S=1, and N=512, each bit can beflipped and the MAC can be verified following each bit flip. In thisexample, the BC may not be stored.

FIG. 4 illustrates a process flow diagram for managing encrypted data.The method 400 illustrated in FIG. 4 can be implemented with anysuitable computing component or device, such as the computing device 100of FIG. 1.

At block 402, a MAC manager 120 can calculate a MAC. In some examples,the MAC is calculated in response to a read operation as discussedabove. The MAC manager 120 can calculate the MAC with a keyed securehash operation based on encrypted data stored in any suitable number ofintegrated circuits or devices comprising a cache-line of data.

At block 404, the MAC manager 120 can determine if the calculated MACmatches a stored MAC. If the calculated MAC matches a stored MAC, theprocess flow continues at block 406, where an error is corrected (ornever existed), data is decrypted and sent to a cache device. If thecalculated MAC does not match a stored MAC, the process flow continuesat block 408, where each of the integrated circuits or memory devicesare tested.

If each of the integrated circuits or devices comprising a cache-line ofdata are tested but the first and second MACs never match, then theprocess continues to block 410, where a non-correctable error isreported. If each of the integrated circuits or devices in a comprisinga cache-line of data have not been tested, the process flow continues atblock 412. At block 412, the MAC manager 120 can skip a next integratedcircuit or device data block in an XOR calculation, and substitute anunrolled or XORed repair value (RV) to compute a MAC value. The processflow returns to block 402.

In some examples, the techniques herein can be used with a MAC size ofany suitable length. For example, two spare integrated circuits ormemory devices can be used to store two 32 bit values if the MAC valueis 64 bits. The two 32 bit MAC values can be combined with a logical oroperation. In some embodiments, two MAC values can be calculated inresponse to a read operation, and the results of the two MAC values canbe concatenated to generate a 64 bit MAC value.

In some embodiments, the techniques herein can use one attempt perintegrated circuit or device of a memory DIMM comprising a cache-line ofdata to correct single bit errors or multibit errors within a singledevice or integrated circuit. In some examples, the techniques can alsocorrect multiple single bit errors across multiple devices or integratedcircuits. For example, if there is a one bit error each in two separatedevices, the fully unrolled or XORed correction value can show two bitshave flipped. In some embodiments, the MAC can be tested by flipping thevarious combination of bits in each device data block. For example, for8 DDR5 devices, two bit positions per device data block across n devicescan be flipped. Accordingly, sixty-four MAC tests can identify bothdevices containing individual single bit errors.

In some examples, if a fully unrolled or XORed correction value has alarge number of flipped bits, then the error is likely a full devicefailure. Device failures can persist across a number of memory reads,but use less attempts to fix. For example, adding only 22*8 extra clocksfor SHA3 encryption may be the worst case for DDR5 memory, and theseoperations can be performed in parallel. In some examples, SHA3encryption takes fewer clock cycles than AES-XTS decryption, sointegrity does not add any performance overhead for memory reads beyondencryption when the MAC is calculated over the cipher text and computedin parallel with decryption on a memory read operation.

The process flow diagram of FIG. 4 is not intended to indicate that theoperations of the method 400 are to be executed in any particular order,or that all of the operations of the method 400 are to be included inevery case. Additionally, the method 400 can include any suitable numberof additional operations.

FIGS. 5A and 5B depict examples of data structures for storing encrypteddata. In some examples, each device 502A can include any suitable numberof bits. For example, each device 502A can include a 16 bit value, 32bit value, or 64 bit value, among others. In some embodiments, anynumber of devices can be equal to an encryption key or encryption blockin size. For example, devices 502A, 504A, 506A, and 508A, if 32 bits insize, may be equal to a block size of data encrypted with AES. In someembodiments, a correction value 510A is generated by calculating aresult of an XOR operation based on a previously stored MAC value 512Aand encrypted data values stored in device data blocks 502A, 504A, 506A,508A, and, likewise, all the rest of the devices shown in 514Acontributing to the cache-line of data.

In FIG. 5B, device data blocks 502B, 504B, 506B, 508B, and 510B canstore encrypted data in memory. In some examples, a replacement value512B is generated for device data block 504B based on an XOR operationof device data blocks 502B, 506B, 508B and all the other device datablocks shown as 510B, MAC 514B, and correction value 516B. For example,if the stored MAC 514B fails to match the calculated MAC 518B of thedata line (the combined device data blocks), the replacement value 512Bcan be generated with an XOR operation (also referred to herein asunrolling) based on the MAC value 514B, correction value 516B, and eachof the device data blocks excluding the one device data block beingtested. For example, device data block 504B can be excluded from the XORsequence to determine if the device data block 504B includes erroneousbits as the resulting replacement value is used in place of device datablock 504B and the recalculated second MAC matches the stored first MAC.

FIG. 6 illustrates a process flow diagram for managing encrypted databased on an entropy level of the data. The method 600 illustrated inFIG. 6 can be implemented with any suitable computing component ordevice, such as the computing device 102 of FIG. 1. The method 600 canutilize heuristics to localize which device or portion of a memorydevice likely failed. For example, if a decrypted AES block shows randomplaintext, likely one of the device data blocks contributing to that AESblock failed.

At block 602, the MAC manager 120 can detect that a calculated MAC doesnot match a stored MAC value. At block 604, the MAC manager 120 candecrypt a number of blocks of data in stored memory. In someembodiments, the number of decrypted device data blocks is equal to alength of an encryption key. For example, four device data blocks eachstoring thirty-two bits may be decrypted for a one-hundred andtwenty-eight bit encryption block. In some examples, a size of the blockcorresponds to a size of a block cipher's input or output. For example,a block cipher such as AES128 can use a 128 bit key to encrypt/decrypt a128 bit block size of data. Alternatively, a block cipher such as AES256can use a 256 bit key to encrypt/decrypt the same size data block of 128bits.

At block 606, the MAC manager 120 can determine if the plaintext of thedecrypted data block has an entropy that is below a threshold value. Forexample, if the number of zero bits and one bits in the plaintext isapproximately equal or has an equal distribution, the entropy is above athreshold due to the random nature of the data. Accordingly, the method600 can include ignoring plaintext data with low entropy, or choosingthe blocks with the highest entropy for replacement tests first. In oneexample, a decrypted block with multiple 8 bits of zeros in byte alignedpositions may not be considered random or corrupted, so those devicescomprising the block can be eliminated from the process of identifying acorrupted data block with errors. In other examples, decryptedplaintexts with repeating values or values similar to other decryptedblocks are considered to have lower entropy, and may be at first skippedin the replacement value tests as they are unlikely to be the source ofthe memory corruption.

If the plaintext of the decrypted data has an entropy that is above athreshold value, the process flow continues at block 608. At block 608,the MAC manager 120 can determine if each block of data is corrected byreplacing the device data block with a correction value as discussedabove in relation to FIG. 3. If the plaintext of the decrypted data hasan entropy below a threshold value, the process flow continues at block610 by testing a subsequent number of blocks of data before returning toblock 602 of the process flow diagram. The MAC manager may alsorecalculate the second MAC after each device data block is substitutedwith a replacement value for the decrypted block of the highest entropy.

In some embodiments, compression can also be used on data to fitReed-Solomon codes or similar ECC error detection codes within the datacache lines. If these codes are duplicated across multiple blocks, thenthey can also be used to precisely identify the bit error locationswithout requiring trial and error. Similarly, compression of the dataline can allow the MAC value to be stored in the space freed bycompression, reducing the need for additional memory to hold the MACvalues. Furthermore, if there is a device failure, or stuck at fault, itis likely across multiple memory reads to aligned memory locationscorresponding to the same device. This means that multiple adjacentreads will experience the same fault location. This will help the errorcorrection focus on the most likely device for stuck failure, again,reducing the trial and error.

The process flow diagram of FIG. 6 is not intended to indicate that theoperations of the method 600 are to be executed in any particular order,or that all of the operations of the method 600 are to be included inevery case. Additionally, the method 500 can include any suitable numberof additional operations.

FIG. 7 depicts a pipeline technique for calculating a MAC. In someembodiments, a pipeline for MAC calculations can be used forspeculatively repaired device data blocks instead of sequential MACcalculation for each repair attempt. For example, in a fully pipelineddesign (1 stage/clock cycle), at each clock cycle i=0 . . . 15, thecache line can be submitted with “repaired” device i into the MACgeneration pipeline, such that the MAC values are computed in parallel.In one example, assuming an SHA-3 encryption pipeline with 22 cycleslatency, total latency results can be a best case of 22 cycles, a worstcase of 47 cycles, and an average case of 29 cycles. In some examples,an SHA-3 pipeline may be partially pipelined to match the throughput,i.e., accepting one cache line every four cycles. In some embodiments,repair of the device storing a MAC value does not require recalculationof the MAC value over cache line data since the data is unchanged in arepair attempt. Rather, the process can include performing XORoperations to generate a “repaired” MAC and try to match the repairedMAC with the MAC generated over the raw read data. In some examples,this repair attempt can be executed first before trying to repair anydevice data block, which can have at least 22 cycles latency due to MACre-calculation.

In the example 700 of FIG. 7, a fully pipelined SHA-3 engine consists of22 identical concatenated stages, each of which has a set of stateregisters and combinational logic for a Keccak function. The input canbe supplied to each stage and the last stage provides the output. Toincrease the utilization of this pipeline, a loop of the pipeline stagesK 702 can feed the input 702 to any of the pipeline stages through theinputs in0 . . . in21 704. The output for a particular input data isretrieved after 22 cycles from the corresponding output out0 . . . out21706.

This looped design allows for loading multiple input cache lines in thesame cycle and processing them in parallel instead of skewed by onecycle. This is useful when calculating MACs to repair a device datablock. In best case, if the pipeline is empty, the “repaired” cachelines can be loaded in parallel to determine which device was faulty,therefore reducing the latency. In some examples, unused inputs can beused to calculate MACs for other data responses arriving from memory.This improves the latency and the throughput for memory-intenseworkloads with frequent DRAM errors. A hardware arbiter can be used tokeep track of the MAC computations that are in-flight and to multiplexinput data into the appropriate stages. This approach can also beapplied to a partially pipelined design, in which each stage appliesmultiple rounds of Keccak function to the current state untiltransferring it to the next stage. Each of these stages can have anexternal input and output as described above, in order to maximizeutilization of each stage.

FIG. 8 illustrates a process flow diagram for managing encrypted data.The method 800 illustrated in FIG. 8 can be implemented with anysuitable computing component or device, such as the computing device 102of FIG. 1.

At block 802, the MAC manager 120 can store an encrypted first blockcorrection value and a first MAC value based on data stored in systemmemory in response to a write operation to the system memory. The firstblock correction value comprises the XOR of the plaintext of each blockof data in a data line written to memory. Additionally, the MAC managermay calculate an additional MAC value for the encrypted data in the dataline and store the additional MAC value to memory. At block 804, the MACmanager 120 can detect a read operation corresponding to the data storedin system memory.

At block 806, the MAC manager 120 can calculate a second blockcorrection value based on the data stored in system memory. In someexamples, the second block correction value can be calculated based onan XOR operation comprising plaintext data or decrypted data of eachblock of a data line stored in the system memory. In some examples, thesecond block correction value can be generated in response to a readoperation.

At block 808, the MAC manager 120 can determine that the second blockcorrection value does not match a decrypted first stored blockcorrection value. In this case, the MAC manager 120 may fetch theadditional stored MAC value from memory and calculate a second MAC ofthe data line stored in memory. If the stored MAC matches the secondcalculated MAC, then the block correction code is determined to be inerror and the data may be decrypted and sent to cache. If the stored MACdoes not match the second calculated MAC at block 810, the MAC manager120 can recalculate, at block 812, the second block correction valuewith a correction operation. In some embodiments, the correctionoperation comprises an XOR operation based on the decrypted data blocksstored in system memory, and a replacement value for a device data blockor integrated circuit of the system memory is determined by leaving outthe device data block and using the remaining block correction value inplace of the decrypted device data block plaintext. The replacementvalue is then encrypted with a secret key (used to encrypt the devicedata blocks) and the second MAC is recalculated using the remainingencrypted blocks and the encrypted replacement value.

At block 814, the decryption manager 122 can decrypt the data stored insystem memory comprising a cache-line in response to detecting therecalculated second MAC value matches the first stored MAC value. Atblock 816, the data transmitter 124 can transmit the decrypted data tocache.

The process flow diagram of FIG. 8 is not intended to indicate that theoperations of the method 800 are to be executed in any particular order,or that all of the operations of the method 800 are to be included inevery case. Additionally, the method 800 can include any suitable numberof additional operations. In the method 800, the block correction codeitself can securely (in an unforgeable way) detect the data has at leastone error. The additional MAC value can be used to determine when anyerrors are corrected or fixed. If there is no error, the additionalstored MAC value is not retrieved. In some embodiments, the additionalMAC value may be stored in a separate memory location, thus, removingthe need for additional devices on a memory device, such as a DIMM, forthe MAC. Some embodiments may eliminate the additional stored MAC valueentirely by using the entropy of each decrypted block of data todetermine which device/block is in error and using the replacement valuein place of the highest entropy decrypted block of data as illustratedin FIG. 6. Likewise, data compression techniques can be used to fit aMAC within space freed by compression of the data line.

FIG. 9 is a process flow diagram for managing encrypted data. In someembodiments, the method 900 can include transforming each device datablock before calculating the error correction code. One transform is touse a small block size cipher (e.g. SIMON, SPECK, PRINCE, among others),where the block size matches the device size, to encrypt each deviceindividually with a secret key before XORing each resulting cipher text.Some embodiments may include a tweak, for example using XTS (XEX-basedtweaked-codebook mode with ciphertext stealing) or other tweakable mode,where the tweak is comprising the address of the device data block tocreate a memory position/location dependent ciphertext. Which key isused to encrypt/decrypt the data line may also be selected by additionaladdress bits or other cacheable meta-data indicating which key to usefrom a set of keys.

Accordingly, even the correction code is secure. For example, anencryption of each device with a small block size cipher can be used asinput to the XOR function to compute the XORed Correction code. Anattacker would need to know this secret function output to get all thedevice data blocks to unroll to zero. Therefore, both the MAC and thecorrection codes work together, improving security of the block.

At block 902, the MAC manager 120 can calculate a MAC, decrypt data, anddecrypt a block correction value in response to a read operation. Insome examples, the block correction value is stored in an encryptedformat from a previous write operation. In some embodiments, the MAC canbe calculated based on the encrypted data stored in memory prior todecryption.

At block 904, the MAC manager 120 can determine if the decrypted blockcorrection value matches an XOR result based on the plaintext data ordecrypted data. If the block correction value matches the XORedplaintext data blocks, the process flow continues at block 906 and thedecrypted data is sent to cache. If the block correction value does notmatch the XORed plaintext data blocks, the process flow continues atblock 908.

At block 908, the MAC manager 120 can determine if the calculated MACmatches a stored MAC. If the calculated MAC matches a stored MAC, theprocess flow continues at block 906 by sending decrypted data to a cachedevice. If the calculated MAC does not match a stored MAC, the processflow continues to block 910. At block 910, the MAC manager 120 can skipto a next device data block in an XOR calculation, substitute thedecrypted block correction value for a decrypted device data block,re-encrypt the replacement value, and re-calculate a MAC over theremaining encrypted device data blocks and the encrypted replacementvalue before returning to block 908. Therefore, in order for a corruptedcache line to pass the integrity check, an attacker must not only forgethe MAC, but also forge the block correction value, which is generatedusing a secret key. Therefore, this effectively becomes a two MACsolution, particularly when a stronger (larger) MAC is needed than canfit in the error detection code's device data block. As DRAM devicedensities increase, the above scheme is also effective at reducing ECCmemory costs as the MAC may be stored separately in sequestered (e.g.allocated by software) memory or as a table structure in memory (tableindexed by the memory address associated with each table entry). Theextra ECC chip/device on the DIMM for the ECC error detection codeand/or MAC may therefore be eliminated. Meanwhile, the sequesteredmemory for the MAC may be used when the device correction fails tomatch. The MAC is used to determine which of the correction valuessucceeded or if the correction device was the failing part as the MACwill match the uncorrected data line value. Finally, techniques likecompression may be used to embed the MAC within the data line (whencompressible), using a MAC lookup only for data cache lines that do notcompress. This can further reduce the amount of sequestered memoryrequired and reduce the number of memory lookups when correcting memoryerrors.

FIGS. 10A and 10B depict techniques for managing encrypted data with ablock correction value and a second MAC. In FIG. 10A, on a memory write,the encrypted data 1002A can be used to calculate a MAC 1004A that isstored separately. Additionally, a decrypted version of the data orplaintext data 1006A can be combined with an XOR operation to generateXORed plaintext 1008A that is a correction value 1010A. The correctionvalue 1010A can be stored in an encrypted format 1012A as an encryptedblock correction value.

In FIG. 10B, on a memory read, all the device data blocks for a memoryline are decrypted. Each device block's plaintext is then XORed togetherand compared with the decrypted block correction value 1010B. Eachdevice of data 1002B can be decrypted before XORing the plaintext 1004Bto generate XORed plaintext 1006B. In some examples, the encrypted blockcorrection value 1008B can be decrypted to generate a decrypted blockcorrection value 1010B that is compared to the XORed plaintext 1006B. Insome examples, when the decrypted value of 1010B and 1006B do not match,the XORed plaintext 1006B can be XORed with the decrypted blockcorrection value 1010B while leaving out one device/block at a time fromthe 1006B calculation. The resulting block correction value is thenencrypted to produce the original encrypted erroneous device's datablock value. This value is then substituted for the left out device'sdata block and the MAC is recalculated and compared with the separatelystored MAC until the erroneous device's data block is identified andcorrected. In some examples, even when the MAC passes, the blockcorrection value should unroll or generate a zero value as a result ofan XOR operation when the blocks/devices are transformed and XORed withthe original block correction value.

In some embodiments, techniques described herein can also provide replayprotection even when multiple keys (MKTME) were used to AES-XTS encryptthe data. For example, the MAC manager 120 can periodically rekey theMAC values with a unique key where the MAC is recomputed using the MKTMEAES-XTS cipher text and a unique MAC key. The rekeying can coincide withmemory refresh in which the memory is read, the MAC is computed with anold key, compared with the old stored MAC for the same memory line, andif these values match, the MAC is recomputed with the new key beforewriting the new MAC back to the memory. In some examples, techniques canuse a construct such as ICV, which is equal to HMACrk(Ck) XORAESk(Address). This construct allows a refreshing key rk for the HMAC.This independently combines the MAC over the data cipher text (Ck) froma particular domain key (k) and a key dependent test using the tweak(XTS tweak using the address).

In this example, if an adversary or unauthorized user replays contentfrom another key domain for the same memory address, the HMAC over thecipher text will compute correctly but the address based tweak using thecurrent key domain key k will not match on a memory read. The MACmanager 120 may compute the old HMAC (using the previous refresh key rk)over the cipher text data cache line, XOR the data cache line contentsfrom the stored ICV and XOR it with the new HMAC using the refreshedkey.

In some embodiments, the MAC manager 120 can use an alternativeconstruct to rekey a MAC. For example, the MAC manager 120 can use theconstruct ICV, which is equal to HMACrk(Ck) XOR HMACk(Address). Thisconstruct provides cipher text corruption detection, is scalable crosskey domain corruption detection, and can refresh for restricting replaywithout additional MAC keys.

In another embodiment, the MAC manager 120 can use the construct ICV,which is equal to ENCRYPTrk (SHA3(Ck,TWEAKk)) to rekey MAC values. HereENCRYPT can be a small block cipher (e.g. SIMON, among others) that isthe same size as the truncated SHA3 HMAC (e.g. 32 bits or 64 bits, etc.)encrypting the HMAC with the refreshing key rk. The HMAC also containsan XTS based tweak (e.g. AES encrypted memory Address based on the dataencryption key) in addition to the cipher text based on the dataencryption key k. This allows the ICV to prevent both cross-domainattacks and be bound to the memory address/location where the data isphysically stored. The tweak operation can be the same as used to XTSencrypt the data to produce Ck, but a different tweak offset can be usedexclusively for this operation (e.g. based on an extended address valueto produce an additional unique tweak value from the tweaks used toencrypt the data line). Similarly, other cryptographic key derivationtechniques can be used instead of the tweak to produce a data encryptionkey dependent HMAC. In some examples, the TWEAKk based on the dataencryption key k is effectively a key derivation function that makes theSHA3 hash algorithm output a MAC which may then be truncated. Theadvantage of using the tweak with the encryption key is that iteliminates the need to store separate keys for calculating the MAC.Rather, the encryption key can be reused through a key derivationfunction that is encrypting the memory address (with padding) for theencrypted data line (Ck) using the encryption key k. Likewise, anysecure hash function may be used in place of SHA3 and any key derivationfunction may be used in place of the TWEAK.

A replay/version tree can also be used with this construct. Here theembedded MACs are the ECC memory MACs as described previously. The MACof the replay tree can include a parent counter value for the cacheline. A root counter/nonce (or counters/nonces for multiple memoryregions) can also be embedded in the hardware, on-die. The first levelin the tree in memory contains a cache line with a set of counter/noncevalues and the MAC in ECC memory. This MAC is calculated over all thecounter values comprising the cache line and the associated rootcounter/nonce stored on-die. Each counter/nonce value on the line is aparent for the next level of the tree. The next level of the tree is aline with counter/nonce values, again where the MAC in ECC memory hashesall the counter/nonce values in the line and a single parentnonce/counter from the previous line in the tree. The last level/leaf ofthe tree consists of the data line and its MAC in ECC memory asdescribed previously, the one difference being that the MAC is alsohashed over the parent counter/nonce value. In this way, replay can beprevented as every time data is written to memory, the root counter andall counter values in the branch of the counter/nonce tree leading tothe updated data line are incremented/updated and all the affected MACsin ECC memory recalculated. On a memory read, the MACs are verified forthe branch of the tree related to the read data line by checking thatthe counter/nonce values are correct/unmodified. The MAC values can becalculated with a different secret key than the key used to encrypt thedata lines, and the MAC computed over the AES-XTS cipher text of thedata line, thereby allowing different data to be encrypted withdifferent keys such as MKTME.

In some embodiments, the ECC/Integrity values can also be stored toseparate memory locations so they don't require the addition of physicalECC memory/ECC DIMMs. Additional memory reads/writes will be used tofetch the ECC/integrity values from the separate memory locations inthis case. For example, the ECC correction field can be extended to bothcorrect memory and be an HMAC for detecting errors. Using entropy teststo validate which device is likely in error eliminates the need to storeany other values, saving half of the ECC memory overhead and reducingcosts.

FIG. 11 illustrates a block diagram of a non-transitory computerreadable media for managing encrypted data. The tangible,non-transitory, computer-readable medium 1100 may be accessed by aprocessor 1102 over a computer interconnect 1104. Furthermore, thetangible, non-transitory, computer-readable medium 1100 may include codeto direct the processor 1102 to perform the operations of the currentmethod.

The various software components discussed herein may be stored on thetangible, non-transitory, computer-readable medium 1100, as indicated inFIG. 11. For example, a MAC manager 1106 can store a first messageauthentication code (MAC) based on data stored in system memory inresponse to a write operation to the system memory. In some embodiments,the MAC manager 1106 can also detect a read operation corresponding tothe data stored in the system memory and calculate a second MAC based onthe data stored in the system memory. The MAC manager 1106 can alsodetermine that the second MAC does not match the first MAC andrecalculate the second MAC with a correction operation, wherein thecorrection operation comprises an XOR operation based on the data storedin the system memory and a replacement value for a device of the systemmemory. Furthermore, a decryption manager 1108 can decrypt the datastored in the system memory in response to detecting the recalculatedsecond MAC matches the first MAC. In some embodiments, a datatransmitter 1110 can transmit the decrypted data to cache residing on aprocessor 102, or any other suitable cache or memory device.

Alternatively, in some embodiments, the MAC manager 1106 can store anencrypted first block correction value based on data stored in systemmemory in response to a write operation to the system memory.Additionally, the MAC manager 1106 can also detect a read operationcorresponding to the data stored in system memory and calculate a secondblock correction value based on the data stored in system memory, thesecond block correction value calculated based on an XOR operationcomprising plaintext data stored in the system memory. In someembodiments, the MAC manager 1106 can determine that the second blockcorrection value does not match a decrypted first block correction valueand recalculate the second block correction value with a correctionoperation, wherein the correction operation comprises an XOR operationbased on encrypted data stored in system memory and a replacement valuefor a device of the system memory. Furthermore, the decryption manager1108 can decrypt the data stored in system memory in response todetecting the recalculated second block correction value matches thefirst block correction value, and the data transmitter 1110 can transmitthe decrypted data to cache.

It is to be understood that any suitable number of the softwarecomponents shown in FIG. 11 may be included within the tangible,non-transitory computer-readable medium 1100. Furthermore, any number ofadditional software components not shown in FIG. 11 may be includedwithin the tangible, non-transitory, computer-readable medium 1100,depending on the specific application.

EXAMPLE 1

In some examples, a system for managing encrypted memory comprises aprocessor to store a first message authentication code (MAC) based ondata stored in system memory in response to a write operation to thesystem memory. The processor can also detect a read operationcorresponding to the data stored in the system memory, calculate asecond MAC based on the data retrieved from the system memory, anddetermine that the second MAC does not match the first MAC. Furthermore,the processor can also recalculate the second MAC subsequent to acorrection operation, wherein the correction operation comprises an XORoperation based on the data retrieved from the system memory and areplacement value for a device of the system memory. Additionally, theprocessor can decrypt the data stored in the system memory in responseto detecting the recalculated second MAC matches the first MAC, andtransmit the decrypted data to cache.

Alternatively, or in addition, the correction operation comprisesrecalculating the second MAC for a plurality of devices of the systemmemory. Alternatively, or in addition, the processor is to execute theXOR operation for each of the plurality of devices, wherein the XORoperation is based on the replacement value and the data stored in eachof the plurality of devices with one device excluded. Alternatively, orin addition, the processor is to generate a non-correctable error inresponse to detecting the recalculated second MAC does not match thefirst MAC for each device of the system memory. Alternatively, or inaddition, the processor is to decrypt a block of the data stored in thesystem memory, wherein a size of the block corresponds to a size of ablock cipher's input or output, determine that entropy of plaintext inthe decrypted block of the data is above a threshold level, and performthe correction command on each device in the system memory storing aportion of the block of the data. Alternatively, or in addition, theprocessor comprises logic to execute the correction command in aparallel pipeline, wherein the parallel pipeline comprises generatingthe second MAC with the replacement value for each device of the systemmemory. Alternatively, or in addition, the processor is to generate ablock correction value. Alternatively, or in addition, the processor isto rekey the first MAC and the second MAC in response to expiration of apredetermined period of time.

EXAMPLE 2

In one embodiment, a system for managing encrypted data comprises aprocessor to store an encrypted first block correction value based ondata stored in system memory in response to a write operation to thesystem memory. The processor can also detect a read operationcorresponding to the data stored in the system memory, and calculate asecond block correction value based on the data stored in the systemmemory, the second block correction value calculated based on an XORoperation comprising plaintext data stored in the system memory.Additionally, the processor can determine that the second blockcorrection value does not match a decrypted first block correctionvalue, determine that a stored first MAC value does not match acalculated second MAC, and recalculate the second block correction valuewith a correction operation, wherein the correction operation comprisesan XOR operation based on decrypted data stored in the system memory anda replacement value for a device of the system memory. Furthermore, theprocessor can decrypt the data stored in the system memory in responseto detecting the recalculated second MAC matches the first blockcorrection value, and transmit the decrypted data to a cache device.

Alternatively, or in addition, the processor is to generate a first MACbased on an XOR operation comprising cipher text data stored in thesystem memory. Alternatively, or in addition, the processor is todecrypt the data stored in the system memory and the first blockcorrection value. Alternatively, or in addition, the system comprises asingle device in the system memory to store the first block correctionvalue.

EXAMPLE 3

In one example, a method for managing encrypted memory comprises storinga first message authentication code (MAC) based on data being stored insystem memory in response to a write operation to the system memory. Themethod can also include detecting a read operation corresponding to thedata stored in the system memory, calculating a second MAC based on thedata retrieved from the system memory, and determining that the secondMAC does not match the first MAC. Additionally, the method can includerecalculating the second MAC subsequent to a correction operation,wherein the correction operation comprises an XOR operation based on thedata retrieved from the system memory and a replacement value for adevice of the system memory. Furthermore, the method can includedecrypting the data stored in the system memory in response to detectingthe recalculated second MAC matches the first MAC, and transmitting thedecrypted data to cache.

Alternatively, or in addition, the correction operation comprisesrecalculating the second MAC for a plurality of devices of the systemmemory. Alternatively, or in addition, the method includes executing theXOR operation for each of the plurality of devices, wherein the XORoperation is based on the replacement value and the data stored in eachof the plurality of devices with one device excluded. Alternatively, orin addition, the method includes generating a non-correctable error inresponse to detecting the recalculated second MAC does not match thefirst MAC for each device of the system memory. Alternatively, or inaddition, the method includes decrypting a block of the data stored inthe system memory, wherein a size of the block corresponds to a size ofa block cipher's input or output, determining that entropy of plaintextin the decrypted block of the data is above a threshold level, andperforming the correction command on each device in the system memorystoring a portion of the block of the data. Alternatively, or inaddition, the method includes executing the correction command in aparallel pipeline, wherein the parallel pipeline comprises generatingthe second MAC with the replacement value for each device of the systemmemory. Alternatively, or in addition, the method includes generating ablock correction value. Alternatively, or in addition, the methodincludes rekeying or re-encrypting based on a new key the first MAC andthe second MAC in response to expiration of a predetermined period oftime.

EXAMPLE 4

In one embodiment, a method for managing encrypted data comprisesstoring an encrypted first block correction value based on data storedin system memory in response to a write operation to the system memory.The method can also include detecting a read operation corresponding tothe data stored in the system memory, and calculating a second blockcorrection value based on the data stored in the system memory, thesecond block correction value calculated based on an XOR operationcomprising plaintext data stored in the system memory. Additionally, themethod can include determining that the second block correction valuedoes not match a decrypted first block correction value, determiningthat a stored first MAC value does not match a calculated second MAC,and recalculating the second block correction value with a correctionoperation, wherein the correction operation comprises an XOR operationbased on decrypted data stored in the system memory and a replacementvalue for a device of the system memory. Furthermore, the method caninclude decrypting the data stored in the system memory in response todetecting the recalculated second MAC matches the first block correctionvalue, and transmitting the decrypted data to a cache device.

Alternatively, or in addition, the method can include generating a firstMAC based on an XOR operation comprising cipher text data stored in thesystem memory. Alternatively, or in addition, the method can includedecrypting the data stored in the system memory and the first blockcorrection value. Alternatively, or in addition, the method can includeusing a single device in the system memory to store the first blockcorrection value.

EXAMPLE 5

In one embodiment, a non-transitory computer readable media for managingencrypted memory comprises a plurality of instructions that, in responseto execution by a processor, cause the processor to store a firstmessage authentication code (MAC) based on data stored in system memoryin response to a write operation to the system memory. The processor canalso detect a read operation corresponding to the data stored in thesystem memory, calculate a second MAC based on the data retrieved fromthe system memory, and determine that the second MAC does not match thefirst MAC. Furthermore, the processor can also recalculate the secondMAC subsequent to a correction operation, wherein the correctionoperation comprises an XOR operation based on the data retrieved fromthe system memory and a replacement value for a device of the systemmemory. Additionally, the processor can decrypt the data stored in thesystem memory in response to detecting the recalculated second MACmatches the first MAC, and transmit the decrypted data to cache.

Alternatively, or in addition, the correction operation comprisesrecalculating the second MAC for a plurality of devices of the systemmemory. Alternatively, or in addition, the processor is to execute theXOR operation for each of the plurality of devices, wherein the XORoperation is based on the replacement value and the data stored in eachof the plurality of devices with one device excluded. Alternatively, orin addition, the processor is to generate a non-correctable error inresponse to detecting the recalculated second MAC does not match thefirst MAC for each device of the system memory. Alternatively, or inaddition, the processor is to decrypt a block of the data stored in thesystem memory, wherein a size of the block corresponds to a size of ablock cipher's input or output, determine that entropy of plaintext inthe decrypted block of the data is above a threshold level, and performthe correction command on each device in the system memory storing aportion of the block of the data. Alternatively, or in addition, theprocessor comprises logic to execute the correction command in aparallel pipeline, wherein the parallel pipeline comprises generatingthe second MAC with the replacement value for each device of the systemmemory. Alternatively, or in addition, the processor is to generate ablock correction value. Alternatively, or in addition, the processor isto rekey the first MAC and the second MAC in response to expiration of apredetermined period of time.

EXAMPLE 6

In one embodiment, a non-transitory computer readable media for managingencrypted memory comprises a plurality of instructions that, in responseto execution by a processor, cause the processor to store an encryptedfirst block correction value based on data stored in system memory inresponse to a write operation to the system memory. The processor canalso detect a read operation corresponding to the data stored in thesystem memory, and calculate a second block correction value based onthe data stored in the system memory, the second block correction valuecalculated based on an XOR operation comprising plaintext data stored inthe system memory. Additionally, the processor can determine that thesecond block correction value does not match a decrypted first blockcorrection value, determine that a stored first MAC value does not matcha calculated second MAC, and recalculate the second block correctionvalue with a correction operation, wherein the correction operationcomprises an XOR operation based on decrypted data stored in the systemmemory and a replacement value for a device of the system memory.Furthermore, the processor can decrypt the data stored in the systemmemory in response to detecting the recalculated second MAC matches thefirst block correction value, and transmit the decrypted data to a cachedevice.

Alternatively, or in addition, the processor is to generate a first MACbased on an XOR operation comprising cipher text data stored in thesystem memory. Alternatively, or in addition, the processor is todecrypt the data stored in the system memory and the first blockcorrection value. Alternatively, or in addition, the system comprises asingle device in the system memory to store the first block correctionvalue.

Although an example embodiment of the disclosed subject matter isdescribed with reference to block and flow diagrams in FIGS. 1-11,persons of ordinary skill in the art will readily appreciate that manyother methods of implementing the disclosed subject matter mayalternatively be used. For example, the order of execution of the blocksin flow diagrams may be changed, and/or some of the blocks in block/flowdiagrams described may be changed, eliminated, or combined.

In the preceding description, various aspects of the disclosed subjectmatter have been described. For purposes of explanation, specificnumbers, systems and configurations were set forth in order to provide athorough understanding of the subject matter. However, it is apparent toone skilled in the art having the benefit of this disclosure that thesubject matter may be practiced without the specific details. In otherinstances, well-known features, components, or modules were omitted,simplified, combined, or split in order not to obscure the disclosedsubject matter.

Various embodiments of the disclosed subject matter may be implementedin hardware, firmware, software, or combination thereof, and may bedescribed by reference to or in conjunction with program code, such asinstructions, functions, procedures, data structures, logic, applicationprograms, design representations or formats for simulation, emulation,and fabrication of a design, which when accessed by a machine results inthe machine performing tasks, defining abstract data types or low-levelhardware contexts, or producing a result.

Program code may represent hardware using a hardware descriptionlanguage or another functional description language which essentiallyprovides a model of how designed hardware is expected to perform.Program code may be assembly or machine language or hardware-definitionlanguages, or data that may be compiled and/or interpreted. Furthermore,it is common in the art to speak of software, in one form or another astaking an action or causing a result. Such expressions are merely ashorthand way of stating execution of program code by a processingsystem which causes a processor to perform an action or produce aresult.

Program code may be stored in, for example, volatile and/or non-volatilememory, such as storage devices and/or an associated machine readable ormachine accessible medium including solid-state memory, hard-drives,floppy-disks, optical storage, tapes, flash memory, memory sticks,digital video disks, digital versatile discs (DVDs), etc., as well asmore exotic mediums such as machine-accessible biological statepreserving storage. A machine readable medium may include any tangiblemechanism for storing, transmitting, or receiving information in a formreadable by a machine, such as antennas, optical fibers, communicationinterfaces, etc. Program code may be transmitted in the form of packets,serial data, parallel data, etc., and may be used in a compressed orencrypted format.

Program code may be implemented in programs executing on programmablemachines such as mobile or stationary computers, personal digitalassistants, set top boxes, cellular telephones and pagers, and otherelectronic devices, each including a processor, volatile and/ornon-volatile memory readable by the processor, at least one input deviceand/or one or more output devices. Program code may be applied to thedata entered using the input device to perform the described embodimentsand to generate output information. The output information may beapplied to one or more output devices. One of ordinary skill in the artmay appreciate that embodiments of the disclosed subject matter can bepracticed with various computer system configurations, includingmultiprocessor or multiple-core processor systems, minicomputers,mainframe computers, as well as pervasive or miniature computers orprocessors that may be embedded into virtually any device. Embodimentsof the disclosed subject matter can also be practiced in distributedcomputing environments where tasks may be performed by remote processingdevices that are linked through a communications network.

Although operations may be described as a sequential process, some ofthe operations may in fact be performed in parallel, concurrently,and/or in a distributed environment, and with program code storedlocally and/or remotely for access by single or multi-processormachines. In addition, in some embodiments the order of operations maybe rearranged without departing from the spirit of the disclosed subjectmatter. Program code may be used by or in conjunction with embeddedcontrollers.

While the disclosed subject matter has been described with reference toillustrative embodiments, this description is not intended to beconstrued in a limiting sense. Various modifications of the illustrativeembodiments, as well as other embodiments of the subject matter, whichare apparent to persons skilled in the art to which the disclosedsubject matter pertains are deemed to lie within the scope of thedisclosed subject matter.

What is claimed is:
 1. A system for managing encrypted memorycomprising: a processing unit to: store a first message authenticationcode (MAC) based on data being stored in system memory in response to awrite operation to the system memory; detect a read operationcorresponding to the data stored in the system memory; calculate asecond MAC based on the data retrieved from the system memory; determinethat the second MAC does not match the first MAC; recalculate the secondMAC subsequent to a correction operation, wherein the correctionoperation comprises an XOR operation based on the data retrieved fromthe system memory and a replacement value for a device of the systemmemory; decrypt the data stored in the system memory in response todetecting the recalculated second MAC matches the first MAC; transmitthe decrypted data to cache; decrypt a block of the data stored in thesystem memory, wherein a size of the block corresponds to a size of ablock cipher's input or output; determine that entropy of plaintext inthe decrypted block of the data is above a threshold level; and performthe correction operation on each device in the system memory storing aportion of the block of the data.
 2. The system of claim 1, wherein thecorrection operation comprises recalculating the second MAC for aplurality of devices of the system memory.
 3. The system of claim 2,wherein the processor is to execute the XOR operation for each of theplurality of devices, wherein the XOR operation is based on thereplacement value and the data stored in each of the plurality ofdevices with one device excluded.
 4. The system of claim 1, wherein theprocessor is to generate a non-correctable error in response todetecting the recalculated second MAC does not match the first MAC foreach device of the system memory.
 5. The system of claim 1, wherein theprocessor comprises logic to execute the correction operation in aparallel pipeline, wherein the parallel pipeline comprises generatingthe second MAC with the replacement value for each device of the systemmemory.
 6. The system of claim 1, wherein the processor is to generate ablock correction value.
 7. The system of claim 1, wherein the processoris to rekey the first MAC and the second MAC in response to expirationof a predetermined period of time.
 8. The system of claim 7, wherein theprocessor is to rekey the first MAC and the second MAC based on a memoryrefresh rate, wherein the rekeying comprises: detecting a second readoperation; comparing the first MAC with a previously stored key;re-computing the first MAC with a new key; and storing the first MACencrypted with the new key in the system memory.
 9. A system formanaging encrypted data comprising: a processor to: store an encryptedfirst block correction value based on data stored in system memory inresponse to a write operation to the system memory; detect a readoperation corresponding to the data stored in the system memory;calculate a second block correction value based on the data stored inthe system memory, the second block correction value calculated based onan XOR operation comprising plaintext data stored in the system memory;determine that the second block correction value does not match adecrypted first block correction value; determine that a stored firstMAC value does not match a calculated second MAC; recalculate the secondblock correction value with a correction operation, wherein thecorrection operation comprises an XOR operation based on decrypted datastored in the system memory and a replacement value for a device of thesystem memory; decrypt the data stored in the system memory in responseto detecting the recalculated second MAC value matches the first blockcorrection value; transmit the decrypted data to a cache device; decrypta block of the data stored in the system memory, wherein a size of theblock corresponds to a size of a block cipher's input or output;determine that entropy of plaintext in the decrypted block of the datais above a threshold level; and perform the correction operation on eachdevice in the system memory storing a portion of the block of the data.10. The system of claim 9, wherein the processor is to generate thefirst MAC based on an XOR operation comprising cipher text data storedin the system memory.
 11. The system of claim 9, wherein the processoris to decrypt the data stored in the system memory and the first blockcorrection value.
 12. The system of claim 9, wherein the systemcomprises a single device in the system memory to store the first blockcorrection value.
 13. A method for managing encrypted memory comprising:storing a first message authentication code (MAC) based on data beingstored in system memory in response to a write operation to the systemmemory; detecting a read operation corresponding to the data stored inthe system memory; calculating a second MAC based on the data retrievedfrom the system memory; determining that the second MAC does not matchthe first MAC; recalculating the second MAC subsequent to a correctionoperation, wherein the correction operation comprises an XOR operationbased on the data retrieved from the system memory and a replacementvalue for a device of the system memory; decrypting the data stored inthe system memory in response to detecting the recalculated second MACmatches the first MAC; transmitting the decrypted data to cache;decrypting a block of the data stored in the system memory, wherein asize of the block corresponds to a size of a block cipher's input oroutput; determining that entropy of plaintext in the decrypted block ofthe data is above a threshold level; and performing the correctionoperation on each device in the system memory storing a portion of theblock of the data.
 14. The method of claim 13, wherein the correctionoperation comprises recalculating the second MAC for a plurality ofdevices of the system memory.
 15. The method of claim 14 comprisingexecuting the XOR operation for each of the plurality of devices,wherein the XOR operation is based on the replacement value and the datastored in each of the plurality of devices with one device excluded. 16.The method of claim 13, comprising generating a non-correctable error inresponse to detecting the recalculated second MAC does not match thefirst MAC for each device of the system memory.
 17. The method of claim13, comprising rekeying or re-encrypting based on a new key the firstMAC and the second MAC in response to expiration of a predeterminedperiod of time.
 18. A non-transitory computer readable media formanaging encrypted memory comprising a plurality of instructions that,in response to execution by a processor, cause the processor to: store afirst message authentication code (MAC) based on data being stored insystem memory in response to a write operation to the system memory;detect a read operation corresponding to the data stored in the systemmemory; calculate a second MAC based on the data retrieved from thesystem memory; determine that the second MAC does not match the firstMAC; recalculate the second MAC subsequent to a correction operation,wherein the correction operation comprises an XOR operation based on thedata retrieved from the system memory and a replacement value for adevice of the system memory; decrypt the data stored in the systemmemory in response to detecting the recalculated second MAC matches thefirst MAC; transmit the decrypted data to cache; decrypt a block of thedata stored in the system memory, wherein a size of the blockcorresponds to a size of a block cipher's input or output; determinethat entropy of plaintext in the decrypted block of the data is above athreshold level; and perform the correction operation on each device inthe system memory storing a portion of the block of the data.
 19. Thenon-transitory computer-readable media of claim 18, wherein thecorrection operation comprises recalculating the second MAC for aplurality of devices of the system memory.
 20. The non-transitorycomputer-readable media of claim 19, wherein the processor is to executethe XOR operation for each of the plurality of devices, wherein the XORoperation is based on the replacement value and the data stored in eachof the plurality of devices with one device excluded.
 21. Thenon-transitory computer-readable media of claim 18, wherein theprocessor is to generate a non-correctable error in response todetecting the recalculated second MAC does not match the first MAC foreach device of the system memory.